Libvirt can't create new VM (logging issue) #1273
Comments
Can you paste in the output of the |
❯ groups |
You have the correct groups. Since 777 perms are also not resolving the issue. Can you temporarily try setting SELinux to permissive mode and try creating your VM. |
Thanks for the tip, but that doesn't seem to change anything:
❯ cat /etc/selinux/config | grep SELINUX=
Still: I even tried to touch that log and change to 777, to make sure he's not using some weird user. In any case, I can prepare the storage volume:
❯ sudo ls -ltra /var/lib/libvirt/images
...just it's not usable. |
It seems to be a broader F40 issue: I am not sure how often you are taking F40 images for baseline? This one seems to be resolved since 6 days ago... |
This is the temporary workaround I applied to get things started: |
We pull from upstream each day. I'm curious why permissive mode failed, it should have just logged the violation instead of failing. restorecon should be the fix in this situation if the file tree at that location has the wrong labels or in this case missing labels. After a restorecon I'm assuming it's now working. Since it's applied to /var it will persist through reboots. For timeline of the bug, did you do a fresh install of f40? Roughly when? |
Yes, indeed. All seems to be working well. I have installed my Aurora 3 days ago - a day after 2.6.0 was released (I have Framework 16, so I was waiting for some FW-related goodies, to make sure all works well). |
Well, I better correct myself, as after reboot I simply could not get back to OS (my root is disabled, so I could not even get to terminal to fix things). This might be due to disabling SELinux (as I ran setenforce 0), was probably not a good idea to keep it that way... not sure, simply need to reinstall. |
Did you do setenforce 0 while running or did you do kernel argument to disable SELinux? Setenforce 0 will only put the system into permissive mode. Bigger concern is what restorecon did you do |
Reinstall will likely have the same bug with /var/log/libvirt not having right labels. When you do the restorecon. Ensure that it is only on that directory and below. Do not do the auto relabel or attempt to relabel / recursively. |
OK, sure. Thanks a lot for the tips and you might be right. I will wait for a new image - I guess it will still come this week - and see, maybe I get lucky and the fix will be pulled from upstream. Kinoite might have received it a bit later than stock F40, so it might come with fresh ISO build. |
You are right, setenforce is temporary, but I have updated also the file to permissive and left it there, some processes might not like that. But it can indeed be rather issue with restorecon. I'll be testing it better next time. |
On my Aurora-dx 40 install (not rebase from 39).
So either this was a regression for your install or the files were created somehow prior to SELinux being enabled. |
Thanks a lot for checking @m2Giles ! My further suspicion was that I might need to keep root enabled. Maybe he can't deal with elevated privileges? Not sure, but I will try again with root enabled once 2.7.0 is out... It's quite bad I don't have a way to recover without root, so I better keep it anyways for now. |
I have root disabled and use my account with sudo |
@m2Giles How did you create your first VM? Should I follow some manual process? I have reinstalled Aurora-DX 40 fresh again, but the issue is still there. I tried to go with enabled root this time, but no difference - I can't enable virtual network and he can't create any log:
The network is failing for similar reason:
Funny enough, I still have no issues with preparing disk image in /var/lib/libvirt/images |
the restorecon command linked above fixed my issues too |
I created an alpine VM with the defaults. |
I am getting similar stuff also from CLI:
❯ sudo cat /etc/libvirt/qemu/networks/default.xml
|
I would do the To see the SELinux file labels use If we need to respin ISOs, we can do that. |
I tried at least to go without turning off SELinux... but so far:
Relabeled /var/log/libvirt from system_u:object_r:var_log_t:s0 to system_u:object_r:virt_log_t:s0
Relabeled /var/lib/libvirt from system_u:object_r:var_lib_t:s0 to system_u:object_r:virt_var_lib_t:s0
Network default started
So here at least the network is catching up and all relevant dirs seem to have proper rights (comparing to F39). However installation is giving me now:
According to F40 forum from 8 days ago:
Not sure how can I check my version:
|
OK, so I can confirm that after reboot, I can start Win11 VM. Probably just needed to properly label the processes as well (not only the dirs). @m2Giles For the reference (if we want to fix things in ISO), here are my current privileges:
SELinux seems to be happy. If we want to be fully compatible with what F39 had, we can also
Still, will keep this issue for a little bit. I don't like to have this upon the boot:
Probably is this one:
|
You don't have the MOK installed for secureboot. Unsigned Out of tree modules will be rejected when secureboot is enabled. |
I ran into this with a fresh iso install. Didn't notice it at first due to transferred data labeling most files correctly but the log folder caused me issue until I restoreconed it. Below are some upstream issues I think are related and actually what's causing the labeling issues |
For the time being do a restorecon like you did. This is some sort of packaging difference between F39 and F40. For whatever reason the files are created with no SELinux labels and they don't get restoreconed on first boot. Since they are in a mutable location it's not a hard fix. The bigger issue is for things that have the wrong label in /usr. |
I'd assume whatever's causing that is also causing |
Was any fix found for this issue? I am trying to install a Windows 11 VM, but it fails because: swtpm at /usr/bin/swtpm does not support TPM 2 |
The issue is that a few libvirt files do not have the right SELinux labels. You will need to do a restorecon on /var/log/libvirt and /var/lib/libvirt/dnsmasq. They are listed above. Swtpm supports emulation of tpm2.0 |
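The scoped relabel advised in this thread (only the libvirt directories, never / recursively), as an added example that is not part of the thread or the project's code. The function names and the `--live` switch are hypothetical; the script parses the "Relabeled ..." lines quoted above and the "Would relabel ..." lines that `restorecon -n -v` prints on a dry run.

```sh
#!/bin/sh
# Added example: scoped SELinux relabel audit for the libvirt trees in this thread.
# ALLOWED_ROOTS holds the two directories shown in the thread's restorecon output.
ALLOWED_ROOTS="/var/log/libvirt /var/lib/libvirt"

# in_scope PATH: succeed only if PATH is an allowed root or lies below one.
in_scope() {
    case "$1" in
        */../*|*/..) return 1 ;;   # refuse traversal out of the tree
    esac
    for root in $ALLOWED_ROOTS; do
        case "$1" in
            "$root"|"$root"/*) return 0 ;;
        esac
    done
    return 1
}

# summarize_relabels: read restorecon -v or -n -v output on stdin and print
# "STATUS PATH OLDTYPE NEWTYPE" per relabel line (type = third context field).
# Assumption: paths contain no spaces.
summarize_relabels() {
    awk '
        $1 == "Relabeled"                { p = $2; o = $4; n = $6 }
        $1 == "Would" && $2 == "relabel" { p = $3; o = $5; n = $7 }
        p != "" {
            split(o, a, ":"); split(n, b, ":")
            print p, a[3], b[3]
            p = ""
        }' |
    while read -r path old new; do
        if in_scope "$path"; then status=ok; else status=OUT-OF-SCOPE; fi
        echo "$status $path $old $new"
    done
}

# Live dry run (-n changes nothing on disk); only when called as: script --live
if [ "${1:-}" = "--live" ]; then
    for root in $ALLOWED_ROOTS; do
        in_scope "$root" && restorecon -R -n -v "$root"
    done | summarize_relabels
fi
```

Run it with sudo and `--live` to list what a relabel would change; once the list looks right, `restorecon -R -v` on the same two directories applies it.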
I had to also do a |
Describe the bug
I would like to set up rather permanent Windows 11 VM, so I am trying to use libvirt along with its VM Manager.
Here's the error:
Unable to complete install: 'can't connect to virtlogd: Unable to open file: /var/log/libvirt/qemu/XPS.log: Permission denied'
Traceback (most recent call last):
File "/usr/share/virt-manager/virtManager/asyncjob.py", line 72, in cb_wrapper
callback(asyncjob, *args, **kwargs)
File "/usr/share/virt-manager/virtManager/createvm.py", line 2008, in _do_async_install
installer.start_install(guest, meter=meter)
File "/usr/share/virt-manager/virtinst/install/installer.py", line 695, in start_install
domain = self._create_guest(
^^^^^^^^^^^^^^^^^^^
File "/usr/share/virt-manager/virtinst/install/installer.py", line 637, in _create_guest
domain = self.conn.createXML(initial_xml or final_xml, 0)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib64/python3.12/site-packages/libvirt.py", line 4529, in createXML
raise libvirtError('virDomainCreateXML() failed')
libvirt.libvirtError: can't connect to virtlogd: Unable to open file: /var/log/libvirt/qemu/XPS.log: Permission denied
I tried to change the dir to 777, I even tried to touch the file, but it didn't help:
❯ ls -ltra /var/log/libvirt/qemu/
total 0
drwxrwxrwx. 1 root root 8 May 7 14:29 ..
-rw-r--r--. 1 slavek slavek 0 May 7 14:32 XPS.log
drwxrwxrwx. 1 root root 18 May 7 14:32 .
I tried to go with manual setup as well as semi-automated ISO setup, both cases gave the same error.
What did you expect to happen?
I expect libvirt to start making my VM!
Output of rpm-ostree status
State: idle
AutomaticUpdates: stage; rpm-ostreed-automatic.timer: last run 1 day 1h ago
Deployments:
  ostree-image-signed:docker://ghcr.io/ublue-os/aurora-dx:latest
    Digest: sha256:5d64652fe35ea16c895962b31b4c41cfaeab904c392d99cce67cd3e99640ce83
    Version: 40.20240506.0 (2024-05-06T16:53:28Z)
    Diff: 12 upgraded

● ostree-image-signed:docker://ghcr.io/ublue-os/aurora-dx:latest
    Digest: sha256:8f5d5c70a409c581c25fc3d7bcc0be565a4bcc237030022fa63050244b7bfad2
    Version: 40.20240505.0 (2024-05-05T16:51:55Z)

  ostree-image-signed:docker://ghcr.io/ublue-os/aurora-dx:latest
    Digest: sha256:e9d1f50e54f031f14c9edc34ecbff4e1762e46670694618b055af60830409c4d
    Version: 40.20240428.0 (2024-04-29T02:07:21Z)
Extra information or context
I have disabled root account for the installation, if that makes any difference.